```yaml
title: FakeCaptcha Clipboard Injection via Explorer
id: edr-win-exec-clipboard-injection
status: stable
description: >
  Detects ClickFix/FakeCaptcha behavior where users are prompted to paste
  malicious shell commands via the Win+R run dialog. Catches mshta.exe and
  cmd/powershell spawning from explorer.exe with suspicious command lines
  containing download cradles, encoded commands, clipboard operations, or
  obfuscation tricks including em/en dash abuse to bypass flag matching.
references:
  - https://www.proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape
  - https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn
author: ShroudCloud
date: 2026/04/16
tags:
  - attack.execution
  - attack.t1059.001
  - attack.t1059.003
logsource:
  category: process_creation
  product: windows
detection:
  selection_base:
    ParentImage|endswith: '\explorer.exe'
  selection_mshta:
    Image|endswith: '\mshta.exe'
    CommandLine|contains|none:
      - 'start.hta'
  selection_cmdline_tools:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\powershell_ise.exe'
      - '\pwsh.exe'
      - '\conhost.exe'
    CommandLine|contains:
      - 'Invoke-WebRequest'
      - 'Invoke-Expression'
      - 'Invoke-RestMethod'
      - 'Net.WebClient'
      - 'DownloadString'
      - 'iex'
      - 'irm '
      - 'Set-Content'
      - 'Get-Content'
      - 'Set-Clipboard'
      - 'Get-Clipboard'
      - 'Expand-Archive'
      - 'SW52b2tlLVdlYlJlcXVlc3Q'
      - 'SW52b2tlLUV4cHJlc3Npb24'
      - 'aWV4'
      - 'aXJtIA'
      - '[scriptblock]::Create'
      - '[string]::join('
      - '[Array]::Reverse('